Internet Security Lecture Notes 5 (Tap Bai Giang an Ninh Internet 5)
8/3/2019 Internet Security Lecture Notes 5 (page 1/31)
Chapter 5: Internet Security Based on IDS & IPS
CHAPTER 5
INTERNET SECURITY BASED ON IDS & IPS
A. CHAPTER OBJECTIVES
1. KNOWLEDGE:
Provide students with knowledge of:
- IDS and IPS systems
- The differences between HIDS and NIDS
- The role of IDS and IPS in the security policy of an internal network
- The configuration of NIDS and IPS systems
2. SKILLS:
After completing this chapter, students will be able to:
- Distinguish the types of IDS
- Distinguish the different roles of IDS and IPS
- Build security systems based on IDS and IPS
Collected/Compiled by: Nguyễn Kim Tuấn 99
B. CHAPTER CONTENT
V.1. Introduction and Classification of IDS
V.1.1. Introduction to IDS & IPS
Intrusion detection is one of the tools of network security. It is used to protect an organization's network against attacks: it can identify a hacker and counter that hacker's intrusion into the system. Before discussing intrusion detection in detail, let us consider it from a practical angle.
An intrusion detection system (IDS) is a concept that has existed for a very long time. One of its earliest forms was the night watchman and the guard dog. In this case the night watchman and the guard dog served two functions: they provided a means of noticing that something unusual was happening, and they provided a means of stopping the perpetrator. Burglars are generally not keen on dealing with dogs, so they tend not to rob buildings guarded by dogs. The same holds for dealing with night watchmen: burglars do not want to be discovered by a watchman either.
Burglar alarms and car alarms are also forms of IDS. If the alarm system detects something unusual (such as a window being smashed or a door being opened), it raises a notification: lights flash, a siren sounds, or the police are called automatically. The prevention function may be attached to the doors or to the front of the property. Cars usually have a visible light on the dashboard indicating that the alarm system is armed.
All of these examples show a simple problem with the following key purpose: detecting intrusions into the protected perimeter of the protected objects (businesses, houses, cars, and many other things). In the case of buildings or a car, the protected perimeter is easy to identify. The walls of a house, a fence around the land, or the doors and windows of a car clearly define the protected perimeter. In addition, the examples above give an easily understood definition of the criteria for what constitutes an intrusion and what constitutes the protected perimeter.
If we carry the concept of the alarm system over to the world of computers, we arrive at a basic notion of an IDS. Now we must define what the security perimeter of our computer system is. Clearly, the security perimeter here does not exist in the same way as walls or fences. Instead, the security perimeter of the network in question is a virtual perimeter around an organization's computer systems. This perimeter may be defined by firewalls, telecom demarcation points, or desktop computers with modems. It can also extend to the home computers of employees who are allowed to connect remotely, or to a business partner who is allowed to connect over the Internet. Furthermore, with wireless networking in the business world, an organization's security perimeter may extend to the reach of its wireless network.
Figure 5.1: An example of IDS placement
An alarm system is designed to detect intrusions into protected areas while they are unattended. An IDS is designed to tell the difference between an authorized entry and a threatened intrusion, and this is genuinely difficult. A simple illustration: a vault fitted with an alarm system. If anyone, including its owner, opens the vault door, the alarm rings. The owner must then inform the alarm company that it was he who opened the vault and that everything is intact. An IDS is similar: it keeps watch in front of the door, observes everyone who enters the vault, and looks for intrusion attempts.
There are two types of IDS: the host-based intrusion detection system (HIDS) and the network-based intrusion detection system (NIDS). Each HIDS is placed on a server to detect signs of attack on that host. A NIDS is placed on a separate system to observe network traffic, watching for signs of attack on the network's ports.
V.1.2. Host-based IDS (HIDS)
A host-based IDS (HIDS) is a system of sensors placed on the various servers in an organization's network and controlled by a central manager. The sensors can detect different kinds of events and either examine the activity on the server or raise a notification. HIDS sensors examine the events associated with the server they are installed on. HIDS sensors are also able to determine whether an attack succeeded once the attack has been carried out.
As we have seen, the differences between HIDS sensors reflect the different purposes of an IDS. No single type of sensor suits every organization, or even every server within one organization. It is therefore important to determine the most suitable sensors for each server. Note also that a HIDS deployment will cost more than a NIDS deployment if every server must have its own sensor.
Another problem with HIDS is that a sensor running on a server can consume from 5% to 15% of the CPU's capacity. If the sensor is used on a heavily loaded system, this can affect the performance of that system.
There are five basic types of HIDS sensor:
- Log analyzers
- Signature-based sensors
- System call analyzers
- Application behavior analyzers
- File integrity checkers
Note that the number of HIDS sensors keeps growing, and many products base their functions and behavior on one of the five basic sensor types above.
Log analyzers:
A log analyzer is a process that runs on a server and watches the relevant system log files. If an entry appears that does not match the criteria of the HIDS sensor process, it is held for attention.
Most log analyzers are configured to look for log entries that may indicate a security event. In addition, the system administrator must regularly define further entries of interest; this is very important.
Log analyzers are reactive by nature. In other words, they react to an event that has already happened, so they can only raise notifications about compromises of the system. In most cases a log analyzer cannot prevent an attack from successfully compromising the system.
Log analyzers are a particularly effective way to track the activity of authorized users on internal systems. So if an organization is concerned about its system administrators or other authorized users of a system, a log analyzer can be used to track their activity and forward the record of that activity to a system outside the control of the administrator or user.
Signature-based sensors:
Signature-based sensors carry a built-in set of security event signatures that are matched against incoming traffic or log entries. The difference between signature-based sensors and log analyzers is the ability to analyze incoming traffic.
Signature-based systems can observe attacks against the system, so they can provide additional alerting about attacks. However, the attack will have succeeded or failed before the HIDS sensor can pick up the activity and react to it. A signature-based HIDS sensor can also be used to track authorized users on internal systems.
System call analyzers:
System call analyzers analyze the calls between applications and the operating system to identify security events. This type of HIDS sensor is implemented as a software shim inserted between the operating system and the applications. When an application wants to perform an action, its call to the operating system to perform that action is analyzed and compared against a database of signatures. These signatures are various patterns of behavior that indicate an attack or some other event defined by the HIDS administrator.
System call analyzers differ from log analyzers and signature-based HIDS sensors in that they can prevent an action while it is happening. For example, if an application makes a call that matches a buffer overflow signature, the sensor can stop that call, allocate another region of memory instead, and record the attempted compromise on the system.
Note: Configuring system call analyzers correctly is critical; an unsuitable configuration can cause applications to fail. These sensors are normally provided with a test mode. This means the sensor records events but does not take the actions that would block them, so the configuration can be tried out without the applications being affected by its functions.
Application behavior analyzers:
Application behavior analyzers resemble system call analyzers in that they too are implemented as a software shim between the applications and the operating system. With an application behavior analyzer, the sensor examines the calls to decide whether the application is allowed to make them, rather than acting only when it finds an attack. For instance, a web server would normally be allowed to accept network connections on port 80. If the web server tries to write files, read files from some other location, or open new network connections, the sensor treats this as inappropriate behavior and blocks the action.
When configuring the sensors, a list of legitimate actions must be created for each application. Vendors of these products usually supply legitimate-behavior templates for common applications. Application development teams will have to analyze and study what their application is allowed to do, and this will have to be programmed into the sensors.
File integrity checkers:
File integrity checkers check for changes to files. This is accomplished using a cryptographic checksum or digital signature of the file. The resulting signature changes if even a few bits change in the file's structure. The algorithms used for this process are designed to make it extremely difficult to alter a file in a way that produces the same signature.
On the sensor's initial configuration, every file to be tracked is run through the algorithm to create an initial signature. This signature is stored in a safe location. Periodically, each tracked file has its signature compared against the stored original. If they match, the file has not changed. If they do not match, the file has changed.
Note: This type of sensor requires good configuration. If it is not organized well, the sensor will detect all changed files, including files that were legitimately changed, and the sensor cannot tell the difference before it detects the change.
A file integrity checker gives no indication of an intrusion itself, but it reveals the detailed results of an intrusion. So if a web server is compromised, the intrusion itself will not be noticed, but other kinds of system compromise will be detected when the intrusion changes system files.
V.1.3. Network-based IDS (NIDS)
A NIDS is really a software process running on dedicated hardware. The NIDS is placed on a network interface card on the system in promiscuous mode, meaning that the card passes all traffic on the network (rather than only the traffic addressed to that system) to the NIDS software. The traffic is analyzed against a set of rules and attack signatures to determine whether it is traffic of interest. If it is, an event is generated.
At present, NIDS are mainly signature-based. That is, a set of attack signatures is built into the system and these signatures are compared against the traffic on the wire. If an attack is carried out that is not in the signature file, the NIDS will not pick it up. NIDS are also able to monitor specific traffic by source address, destination address, source port, or destination port. This lets organizations define traffic to monitor for matters outside the attack signatures.
Note: NIDS based on anomalous events are beginning to appear on the market. These systems look for anomalies in network traffic to detect attacks. The usefulness of this type of system has not yet been proven in practice.
The most common configuration for a NIDS uses two network interface cards. One card is used to monitor a network. This card is placed in a stealthy mode: it has no IP address, so it does not respond to incoming connections. The stealthy card has no protocol stack bound to it, so it cannot reply to a probe such as a ping. The second card is used to communicate with the IDS management system and to send alerts. This card is attached to an internal network that cannot be seen from the monitored network.
Figure 5.2: A network with NIDS sensors
Advantages of a NIDS:
- A NIDS can be completely hidden on the network, so an attacker does not know he is being monitored.
- A single NIDS can be used to monitor a large volume of traffic to the target systems.
- A NIDS can capture the contents of most packets going to a target system.
Limitations of a NIDS:
- A NIDS can only alert when network traffic matches the rules or signatures configured beforehand.
- A NIDS may fail to capture traffic correctly because of the bandwidth in use or alternate routing.
- A NIDS cannot determine whether an attack was successful.
- A NIDS cannot monitor traffic that is encrypted.
- Switched networks require special configuration for the N IDS to see all network traffic.
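Signature-based NIDS matching in miniature, as an added example (not the lecture notes' own code, and not the rule syntax of any real NIDS product): a small `key=value` rule format of the kind the section describes (source and destination network, destination port, optional payload content), applied to constructed packet records. The two rules reuse cases the notes themselves mention (a `.bat` URL sent to port 80, and connections to the BackOrifice port 31337 from V.3.1), and the traffic shows two of the limitations listed above: an attack with no loaded signature produces nothing, and an encrypted payload cannot be content-matched.

```python
"""Minimal signature/rule matcher over constructed packet records."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    name: str
    src_net: ipaddress.IPv4Network   # "any" in the rule text becomes 0.0.0.0/0
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]             # None matches any destination port
    content: Optional[bytes]         # None makes this an address/port-only rule


def parse_rule(line):
    """Parse 'key=value; key=value' (a constructed syntax for this example)."""
    fields = {}
    for item in line.split(";"):
        key, _, value = item.strip().partition("=")
        fields[key.strip()] = value.strip()

    def net(text):
        return ipaddress.ip_network("0.0.0.0/0" if text == "any" else text)

    dport = fields.get("dport", "any")
    return Rule(
        name=fields["name"],
        src_net=net(fields.get("src", "any")),
        dst_net=net(fields.get("dst", "any")),
        dport=None if dport == "any" else int(dport),
        content=fields["content"].encode() if "content" in fields else None,
    )


def matches(rule, pkt):
    """Every field present in the rule must match; absent fields are wildcards."""
    if ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst_net:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True


def inspect(packets, rules):
    """Return one event (rule name, src, dst, dport) per rule hit, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if matches(rule, pkt):
                alerts.append((rule.name, pkt.src, pkt.dst, pkt.dport))
    return alerts


RULES = [parse_rule(r) for r in (
    "name=IIS .bat request; src=any; dst=10.0.0.0/8; dport=80; content=.bat",
    "name=connection to BackOrifice port; src=any; dst=10.0.0.0/8; dport=31337",
)]

PACKETS = [  # constructed traffic records using RFC 5737 documentation addresses
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /scripts/run.bat HTTP/1.0\r\n"),
    Packet("198.51.100.2", "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.7", "10.0.0.9", 31337, b""),
    # the same request over TLS: the bytes on the wire carry no ".bat" to match
    Packet("203.0.113.7", "10.0.0.5", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),
    # a request for which no signature is loaded: the NIDS stays silent
    Packet("203.0.113.7", "10.0.0.5", 80, b"GET /cgi-bin/unlisted HTTP/1.0\r\n"),
]


def demo():
    return inspect(PACKETS, RULES)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Only the first and third packets produce events; the fourth and fifth are the "encrypted" and "not in the signature file" limitations from the list above, made concrete.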
It is hard to compare the two types of IDS. Both have their own advantages and limitations: while a NIDS is economical (a single NIDS can monitor a large volume of traffic to many systems), a HIDS may suit organizations that are more concerned with the usage rights of their own users than with defending against hackers.
V.2. Designing an IDS
V.2.1. Defining the Goals of the IDS
To get the most effective IDS, planning must be done in advance. Before establishing an appropriate policy, information must be gathered, the network must be analyzed, and risk management must be carried out. For a complex system, the policies must be created properly and tested before deployment. The steps needed to create the policies of an IDS are: define the goals of the IDS; choose what to monitor; choose the responses; set the thresholds; implement the policy.
The goals of the IDS provide the requirements for the IDS policy. The goals are chosen from among the following:
- Detecting attacks
- Preventing attacks
- Detecting policy violations
- Enforcing use policies
- Enforcing connection policies
- Collecting evidence
Remember that the goals can be combined, and the actual goals of any IDS depend on the organization deploying it. This is not a complete list. An IDS may allow an organization to detect when an attack begins and to collect evidence or prevent further damage by terminating the incident. Of course, that is not the only goal an IDS can serve. Since an IDS gathers detailed information about events occurring on an organization's networks and computer systems, it can also identify activity that violates policy and the actual use of network resources.
Attack recognition: Attack recognition is the most common function of an IDS. The IDS is a program that looks for certain patterns of events from which it can determine that an attack is taking place. A simple example might be a connection to TCP port 80 (HTTP) followed by a URL that includes the extension .bat. This may be an indication of an intruder attempting an attack against an IIS web server.
Most attack signatures are not so easy to recognize. For example, password-guessing attacks still occur regularly across the Internet. A HIDS might have a rule that looks for three failed login attempts on one account within a short period. To do this, the HIDS must track the time and number of failed login attempts for each account recorded in the log files, and it must reset the count if a login succeeds or the time window expires. A more complex example of attack recognition is an intruder guessing passwords across many accounts and many systems. In this case the intruder may not try an account twice in a row but instead try the same password on each account across the systems. If the attempt takes long enough, the time window for each account expires before the intruder fails three times on any given account. The only way to identify this kind of attack is to correlate the information found in several log files on different systems. A HIDS that can correlate information across systems is able to perform this kind of analysis.
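The two password-guessing rules described above, as an added example (not the lecture notes' own code). Rule 1 is the single-host rule: three failed logins on one account within a short window, with the counter reset on a successful login or when the window expires. Rule 2 correlates failures by source address across hosts and accounts, which is the only way to catch the slow, spread-out guessing the text describes. The log lines and their "host sshd: result for user from src" layout are constructed for this example; real log formats differ and would need their own regular expression.

```python
"""Log analyzer: per-account failed-login rule plus cross-host correlation."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed log excerpt, timestamps in seconds, RFC 5737 test addresses.
SAMPLE_LOG = """\
1000 web1 sshd: Failed password for dave from 198.51.100.5
1010 web1 sshd: Failed password for dave from 198.51.100.5
1020 web1 sshd: Accepted password for dave from 198.51.100.5
1100 web1 sshd: Failed password for admin from 203.0.113.7
1105 web1 sshd: Failed password for admin from 203.0.113.7
1110 web1 sshd: Failed password for admin from 203.0.113.7
2000 web1 sshd: Failed password for alice from 203.0.113.9
2120 db1 sshd: Failed password for bob from 203.0.113.9
2240 web2 sshd: Failed password for carol from 203.0.113.9
"""


def parse_log(text):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def single_host_rule(events, threshold=3, window=60):
    """Alert when one account on one host fails `threshold` times within `window`
    seconds. A successful login or window expiry resets the count."""
    failures = defaultdict(list)   # (host, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        if ev["result"] == "Accepted":
            failures.pop(key, None)          # success resets the counter
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]  # drop expired
        recent.append(ev["ts"])
        if len(recent) >= threshold:
            alerts.append(("single-host", ev["host"], ev["user"], ev["src"], ev["ts"]))
            recent = []                      # start over after alerting
        failures[key] = recent
    return alerts


def correlated_rule(events, threshold=3, window=600):
    """Alert when one source address fails against `threshold` distinct
    (host, account) pairs within `window` seconds, however slowly it works.
    Per-account counters never reach 3 in this pattern; the source does."""
    by_src = defaultdict(list)     # src -> [(ts, host, user)] of recent failures
    alerts = []
    for ev in events:
        if ev["result"] != "Failed":
            continue
        recent = [(t, h, u) for (t, h, u) in by_src[ev["src"]] if ev["ts"] - t <= window]
        recent.append((ev["ts"], ev["host"], ev["user"]))
        targets = {(h, u) for (_, h, u) in recent}
        if len(targets) >= threshold:
            alerts.append(("correlated", ev["src"], sorted(targets), ev["ts"]))
            recent = []
        by_src[ev["src"]] = recent
    return alerts


def demo():
    events = parse_log(SAMPLE_LOG)
    return single_host_rule(events) + correlated_rule(events)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the sample, `dave` never alerts (two failures, then success resets the counter), `admin` trips the single-host rule at t=1110, and the source 203.0.113.9 trips only the correlated rule: one failure per account on three hosts, spread over four minutes, is invisible to a per-account window of 60 seconds.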
Policy monitoring: Policy monitoring is similar to attack detection. The purpose of an IDS configured to perform policy monitoring is simply to monitor compliance or non-compliance with the company's policies. In the simplest case, a NIDS can be configured to monitor all network traffic leaving the network. This configuration lets the NIDS watch for any non-compliance with the Internet usage policies. The NIDS can alert on any connection to locations that do not meet the criteria used within the system.
A NIDS can also monitor against the router or firewall configurations. In this case the NIDS is configured to look for traffic that the router or firewall does not allow through; if any such traffic is seen, a violation of the firewall policy is indicated.
Policy enforcement: Using an IDS as a policy enforcement tool takes the policy-monitoring configuration one step further. For policy enforcement, the IDS is configured to take action when a policy violation is detected. In the first example under policy monitoring, the policy-enforcing IDS not only recognizes that a connection is being attempted to a prohibited website, but it can also block the connection.
Incident response: An IDS can be a valuable tool after an incident has been identified. While the IDS may be used to identify the initial incident, once an incident has occurred the IDS can be used as an evidence-gathering and data-logging tool. In this role, a NIDS can be configured to look for certain connections and provide full logging of the traffic data. At the same time, a HIDS can be configured to keep a record of all log file entries relating to a particular account on the system.
V.2.2. Choosing What to Monitor
What to monitor depends on the goals of the IDS and the environment in which it will operate. For example, if the goal of the IDS is to detect attacks and the IDS is placed on the Internet outside the company's firewall, the IDS will need to monitor all traffic coming in to the firewall in order to identify direct attacks. Alternatively, the IDS can be placed inside the firewall to identify only those attacks that get through the firewall. Table 5-1 gives examples of what to monitor for particular policies.
The choice of what to monitor affects the placement of the sensors. Sensors can be placed outside the firewall, inside the network, on vulnerable systems, or on systems used specifically for gathering and processing log files. The key point when deciding where to place an IDS sensor is that the sensor must be able to monitor the events of interest, whether their network traffic or the entries that get logged. If the events of interest do not pass through the firewall, then placing a NIDS sensor inside the firewall is not a good choice. Similarly, if the events of interest are only logged on the domain controllers of a Windows NT network, the HIDS software must be placed on the primary domain controller, even though an attacker may physically be at a workstation somewhere in the network.
Policy: Detect attacks
  NIDS: All traffic that may enter the target systems (firewalls, web servers, application servers, etc.)
  HIDS: Failed login attempts; connection attempts; successful logins from remote systems
Policy: Prevent attacks
  NIDS: Same as detecting attacks
  HIDS: Same as detecting attacks
Policy: Detect policy violations
  NIDS: All HTTP traffic originating from client systems; all FTP traffic originating from client systems; identified connections on game ports
  HIDS: Successful HTTP connections; successful FTP connections; downloaded files
Policy: Enforce use policies
  NIDS: Same as detecting policy violations
  HIDS: Same as detecting policy violations
Policy: Enforce connection policies
  NIDS: All traffic that violates the connection policy being enforced
  HIDS: Successful connections from blocked addresses or ports
Policy: Collect evidence
  NIDS: The contents of all traffic originating at the target system or the attacking system
  HIDS: All successful connections from the attacking system; all unsuccessful connections from the attacking system; all keystrokes from interactive sessions from the attacking system
Table 5-1: Examples of what to monitor for a given IDS policy.
There is another key consideration when placing NIDS sensors. If the network uses switches instead of hubs, the NIDS sensor will not work properly if it is simply connected to a switch port: the switch will only send the sensor the traffic destined for the port the sensor is plugged into. For a switched network there are two options for using NIDS sensors: use the switch's port monitoring feature, or use a network tap.
Using the monitoring port can create conflicts with the network administration staff, since that port may also be used for network troubleshooting. In addition, switches only allow one port to be monitored at a time. The monitoring port usually does not allow the switch backbone to be monitored. This would not work in any case, since the switch backbone runs at gigabits per second while the NIDS sensor uses a 100BaseT connection (100 megabits per second). A tap connection of this kind does not let the NIDS transmit, so terminating connections is usually not possible in that configuration.
V.2.3. Choosing the Responses
As with choosing what to monitor, the choice of responses is influenced by the goals of your IDS. When an event occurs, you can choose a passive response (one that does not directly prevent the attacker's activity) or an active response (one that directly attempts to prevent the attacker's activity). Passive responses do not necessarily mean that you will allow the event to continue, but rather that you choose not to have the IDS take direct action itself. This is an important distinction to keep in mind. The choice between an automatic response and a human-controlled response must also be weighed.
Passive responses: A passive response is the most common type of action when an intrusion is detected. The reason is simple: passive responses have a low probability of disrupting legitimate traffic while being easy to implement in a fully automated fashion. As a general rule, passive responses take the form of gathering information or notifying authorized individuals who can take action if necessary.
Shunning: Shunning or ignoring an attack attempt is the most common response in use today. In most cases this is the response of choice after an organization has deployed an Internet connection and a firewall. At that point, the organization must trust the firewall to prevent attacks from the Internet.
This response can also be used with a more sophisticated IDS. The IDS can be configured to ignore attacks against services that do not exist or that the firewall makes hard to attack.
Logging: When any type of event occurs, as much information as possible should be gathered to allow detailed analysis or to help decide whether to take action. The act of recording an event is a passive response. By gathering basic information (such as IP address, date and time, type of event, IDS process, IDS user, and so on), the IDS identifies an event that warrants attention.
Additional logging: A distinct response is to gather more information about the events than would normally be kept. For example, if the normal logging configuration collects the IP addresses and ports of connections, recognizing an event might trigger logging of the IDS user, the IDS process, or the entire traffic passing over the connection.
Alerts: IDS alerts not only warn that an event has occurred, they also give information about the event. An alert can take many forms: a flashing screen, a siren, an e-mail message, or a pager. Depending on the nature of the event and the configuration of the IDS, an appropriate type of alert is chosen.
Note: Configuring an IDS to send an alert whenever an event occurs can cause serious problems for e-mail or paging systems if many events occur within a short period.
Active responses: An active response to an event allows action that can reduce the effects of the event as quickly as possible. However, without careful control of the ramifications of the actions and careful testing of the rule sets, active responses can cause disruption or denial of service to legitimate users.
Terminating connections, sessions, or processes: Perhaps the easiest action is to terminate the event. This can be done by terminating the connection the attacker is using (possible if the event uses a TCP connection), terminating the user's session, or terminating the processes causing the problem.
Which entity to terminate can be determined by examining the event. If a process is using too many system resources, killing the process stops the activity. If a user is trying to access a vulnerable area or files that they are not allowed to access, terminating that user's session is the appropriate action. If an attacker is using a network connection to a system in an attempt to break into a vulnerable area, terminating the connection is appropriate.
Note: Termination can also cause a denial of service to legitimate users. Therefore, be sure you can accurately identify the intrusion event before using this type of action.
Network reconfiguration: If we notice that many attempts are being made to access the company's network systems from a certain IP address, we may be able to see that an attack is coming from specific IP addresses. In this case, reconfigure the firewall or router. The reconfiguration may be temporary or permanent, depending on the IP addresses and on whether branches or partners do business with the company over them (shutting off all traffic to a business partner for several days can have a bad effect on productivity). The new rules or filters may disallow any connections from the offending location, or connections to specific ports.
Deception: Another type of active response is deception. A deceptive response intends to fool the attacker into believing that he has broken in successfully when he has not yet been able to explore the system. Meanwhile, the target system is working on tightening its protection against the attacker, or luring the attacker to another system or to a part of the target system that has been moved to a safe location.
Another kind of deceptive response is the honey pot. A honey pot is a system or object that looks vulnerable in order to lure the attacker into attacking it. Meanwhile, the attacker is observed and all of his activity is logged. Of course, the information on the honey pot is not real, but it appears to be the most important object at that location.
Automation and automatic responses:
An automatic response is a predetermined set of actions taken when a particular event occurs. Such a response is usually governed by a procedure that recognizes specific triggers to start the actions. The actions can range from passive to active. An automatic response may be controlled by several people or by several computers.
When the response to an incident is controlled entirely by a computer without human intervention, we have an automatic response. Such a response must be controlled clearly and carefully, and the rules must be tested thoroughly. Because this response requires no human intervention, it will happen whenever the conditions of the rules are met. It is very easy to create an automatic response that disrupts all network traffic.
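An automatic responder with the safeguards the passage above calls for, as an added example (not the lecture notes' own code). It keeps the passive responses (log, alert) for every event, permits active responses only for the policy goals that Table 5-2 pairs them with, and wraps the "reconfigure firewall" action in three controls: a never-block list for business-partner and internal ranges, a time-to-live so automated blocks are temporary rather than permanent, and a cap on simultaneous blocks that hands over to a human when a rule set starts running away. The policy names, alerts and address ranges are constructed for the example.

```python
"""Automated IDS response with escalation instead of unbounded blocking."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Active responses each policy goal permits, following the pairings in Table 5-2
# (policy names are this example's own labels).
ACTIVE_RESPONSES = {
    "detect-attacks": [],
    "prevent-attacks": ["terminate-connection", "reconfigure-firewall"],
    "detect-policy-violations": [],
    "enforce-use-policy": ["terminate-connection", "reconfigure-proxy"],
    "enforce-connection-policy": ["terminate-connection", "reconfigure-firewall"],
    "collect-evidence": ["deception", "terminate-connection"],
}


@dataclass
class Alert:
    policy: str   # which IDS policy goal raised it
    src: str      # offending source address
    ts: int       # seconds


@dataclass
class Responder:
    never_block: list            # networks whose traffic must never be cut automatically
    block_ttl: int = 3600        # blocks expire; a human decides on permanent ones
    max_active_blocks: int = 50  # circuit breaker against a runaway rule set
    blocks: dict = field(default_factory=dict)   # src -> expiry timestamp

    def active_blocks(self, now):
        """Drop expired blocks and return the addresses still blocked."""
        self.blocks = {s: exp for s, exp in self.blocks.items() if exp > now}
        return sorted(self.blocks)

    def respond(self, alert, now):
        actions = ["log", "alert"]                      # passive responses, always
        active = ACTIVE_RESPONSES.get(alert.policy, [])
        if "terminate-connection" in active:
            actions.append("terminate-connection")
        if "reconfigure-firewall" in active:
            src = ip_address(alert.src)
            if any(src in net for net in self.never_block):
                actions.append("escalate: source is in the never-block list")
            elif len(self.active_blocks(now)) >= self.max_active_blocks:
                actions.append("escalate: block limit reached, suspending automation")
            else:
                self.blocks[alert.src] = now + self.block_ttl
                actions.append(f"block {alert.src} for {self.block_ttl}s")
        return actions


def demo():
    """Constructed alert stream: a detect-only policy, two blockable sources, a
    business-partner address, and a third source that trips the block cap."""
    r = Responder(
        never_block=[ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")],
        block_ttl=3600,
        max_active_blocks=2,
    )
    alerts = [
        Alert("detect-attacks", "203.0.113.7", 1000),
        Alert("prevent-attacks", "203.0.113.7", 1010),
        Alert("prevent-attacks", "198.51.100.10", 1020),   # partner range
        Alert("prevent-attacks", "203.0.113.8", 1030),
        Alert("prevent-attacks", "203.0.113.9", 1040),     # would be the third block
    ]
    decisions = [r.respond(a, a.ts) for a in alerts]
    return decisions, r.active_blocks(1040), r.active_blocks(4700)


if __name__ == "__main__":
    decisions, now_blocked, later_blocked = demo()
    for d in decisions:
        print(d)
    print("blocked at t=1040:", now_blocked, "| blocked at t=4700:", later_blocked)
```

The point of the example is the shape of the decision, not the firewall call itself: every branch that cannot be taken safely ends in an escalation the security staff see, rather than in silence or in an ever-growing block list.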
Policy: Detect attacks
  Appropriate passive response: Logging; additional logging; alerts
  Appropriate active response: No appropriate active response
Policy: Prevent attacks
  Appropriate passive response: Logging; alerts
  Appropriate active response: Terminate connection; terminate process; reconfigure router or firewall
Policy: Detect policy violations
  Appropriate passive response: Logging; alerts
  Appropriate active response: No appropriate active response
Policy: Enforce use policies
  Appropriate passive response: Logging; alerts
  Appropriate active response: Terminate connection; reconfigure proxy
Policy: Enforce connection policies
  Appropriate passive response: Logging; alerts
  Appropriate active response: Terminate connection; reconfigure router or firewall
Policy: Collect evidence
  Appropriate passive response: Logging; additional logging; alerts
  Appropriate active response: Deception; terminate connection
Table 5-2: Examples of appropriate active and passive responses for the same set of policies defined above.
V.2.4. Setting Thresholds
Thresholds provide protection against false indications, thereby strengthening the effectiveness of your IDS policy. Thresholds can be used to filter accidental events out from deliberate ones. For example, an employee may connect to a website unrelated to the business through a link returned by a search. The employee may be performing a legitimate search, but an inappropriate website may be returned because of badly chosen search terms. In this case the IDS should not report a single such event; such a report would only spend resources investigating an innocent action.
Likewise, attack-detection thresholds should be set to ignore low-level probes or information-gathering events. Such an event might include an attempt to look up an employee. Finger is a program used on Unix operating systems (in the Internet context) to find out whether a particular user is logged on. It displays information about the user, depending on the operating system and security policy, and it requires the user's name. Attempts to finger many employees within a short time, however, may be a sign of an attacker trying to gather valuable information about your systems.
Choosing the appropriate thresholds for an IDS depends directly on the types of events and policy violations that can occur. It is not possible to define a set of thresholds that applies universally. It is possible, however, to identify the parameters to consider when setting thresholds. These parameters are:
- User proficiency: a significant number of user errors can cause false alerts.
- Network speed: slow networks can also cause false alerts for events that require packets to appear within a specific time window.
- Expected network connections: if the IDS is configured to alert on certain network connections and those connections occur routinely, false alerts will be generated.
- Administrator/security staff workload: a high workload for the security staff may allow higher thresholds, which affects the number of false alerts.
- Sensor sensitivity: if the sensor is very sensitive, higher thresholds must be set to avoid false alerts.
- Effectiveness of the security program: if an organization's security program is very effective, an IDS placed within the network's defenses can expect attacks to fail.
- Existing vulnerabilities: there is no reason to alert on attacks against vulnerabilities that do not exist on the network.
- Sensitivity of systems and information: the more sensitive the information used within an organization, the lower the alert thresholds should be set.
- Consequences of false positives: if false alerts are very costly, it may be appropriate to set higher thresholds, which reduces the number of false indications.
- Consequences of false negatives: conversely, if the consequences of false negatives are very serious, it may be appropriate to set lower thresholds.
Note: Thresholds are specific to each organization. General guidelines can be given, but each organization must make its own determination based on these parameters.
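A threshold in action, as an added example (not the lecture notes' own code). It implements the port-scan rule that section V.3.1 describes later (a number of distinct ports on one host, above a threshold, touched by one source within a short window) and uses it to show two of the parameters listed above: "expected network connections", in the form of an in-house monitoring host that legitimately probes several service ports every minute, and the trade-off between a low threshold that flags that host and a higher one that does not while still catching a real sweep. The connection records, hosts and addresses are constructed.

```python
"""Threshold-based port scan detection over constructed connection records."""
from collections import defaultdict

SCANNER = "203.0.113.7"     # external source sweeping ten ports in ten seconds
MONITOR = "10.0.0.9"        # in-house health checker: five service ports per minute
CLIENT = "198.51.100.2"     # ordinary web client, ports 80 and 443 only


def constructed_events():
    """(timestamp, src, dst, dport) connection attempts, sorted by time."""
    events = []
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080]):
        events.append((1000 + i, SCANNER, "10.0.0.5", port))
    for minute in range(3):
        for j, port in enumerate([22, 80, 443, 3306, 5432]):
            events.append((2000 + 60 * minute + j, MONITOR, "10.0.0.5", port))
    for k in range(20):
        events.append((3000 + k, CLIENT, "10.0.0.5", 80 if k % 2 else 443))
    return sorted(events)


def detect_port_scans(events, threshold, window=60, expected_sources=()):
    """Alert once per (src, dst) whenever the number of distinct destination ports
    seen from src to dst within `window` seconds reaches `threshold`. Sources in
    `expected_sources` are the "expected network connections" parameter: their
    probing is known and is not counted at all."""
    recent = defaultdict(list)  # (src, dst) -> [(ts, dport)] inside the window
    alerts = []
    for ts, src, dst, dport in events:
        if src in expected_sources:
            continue
        key = (src, dst)
        hist = [(t, p) for (t, p) in recent[key] if ts - t <= window]
        hist.append((ts, dport))
        ports = {p for _, p in hist}
        if len(ports) >= threshold:
            alerts.append((src, dst, ts, len(ports)))
            hist = []               # reset after alerting so one sweep is not re-reported
        recent[key] = hist
    return alerts


def demo():
    """Same traffic, three threshold settings."""
    events = constructed_events()
    return {
        "threshold_5": detect_port_scans(events, threshold=5),
        "threshold_8": detect_port_scans(events, threshold=8),
        "threshold_5_with_expected": detect_port_scans(
            events, threshold=5, expected_sources={MONITOR}),
    }


if __name__ == "__main__":
    for setting, alerts in demo().items():
        print(setting, alerts)
```

At threshold 5 the monitoring host is reported three times (once per minute) alongside the real sweep; raising the threshold to 8 removes those false alerts and still catches the sweep; keeping the threshold at 5 but declaring the monitor an expected source does the same without losing sensitivity for everyone else. Which of the last two is right is exactly the per-organization decision the note above describes.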
V.2.5. Implementing the Policy
The actual implementation of the IDS policy must be planned very carefully. Keep in mind that the IDS policy was developed on paper; it has yet to meet testing and practical experience. Once each IDS policy has been developed and the thresholds have been calculated, the IDS should be put in place with the final policy, but with the active responses left out. The IDS should then be closely monitored for a period while the thresholds are set. In this way, experience with the policy can be gained without disrupting legitimate network traffic or access to computers.
Throughout the trial and testing period, any investigation started from the IDS must be carried out carefully so as to properly evaluate the information the IDS provides.
V.3. Managing and Using an IDS
The concept of intrusion detection is not new in the security field. However, it is only recently that IDS have become available on the commercial market. There are now several HIDS products available from a number of different vendors.
Before deciding to install an IDS on the organization's network, the organization should understand the goals of the program. Configuring and managing an IDS properly is very important: it benefits intrusion prevention by building a good security program. If the goals of the IDS include monitoring for attacks 24 hours a day, staff must be available at all hours of the day and night. At the same time, system administrators will be required to work with the security staff to identify an attack and decide how to manage the incident. Incident management procedures should be created and tested during the installation of the IDS.
Information provided by the IDS
An intrusion detection system can only report what it has been configured to report. There are two components to the configuration of an IDS. The first is the attack signatures programmed into the system. The second is the additional events the administrator identifies; these may include types of traffic or types of log messages.
With regard to the pre-programmed signatures, the vendor or creator of the system has applied their own interpretation of which events are important. The matters that are important to a particular organization may differ from the vendor's defaults. It may be appropriate to change the default priority settings of some signatures, or to remove those signatures entirely if they are not relevant to the organization.
Note: Remember that the IDS will only alert on events that it can recognize. If a system being monitored by a HIDS sensor does not log events, the HIDS sensor will not be aware of those events. Likewise, if a NIDS sensor cannot recognize the traffic, it will not alert even if the event occurs.
Assuming the IDS is configured correctly, there are four types of events that the IDS will point out to you: reconnaissance (information-gathering) events; attack events; policy violations; and unclear or suspicious events.
V.3.1. Reconnaissance events
Reconnaissance events are an attacker's attempts to gather information about a system or systems before carrying out an attack. These events can be divided into five types: stealth scans; port scans; Trojan scans; vulnerability scans; file snooping. Most of these events will appear on the network from the addresses of systems outside on the Internet. Information-gathering events attempt to collect information about systems. They are not events that compromise a system. Some commercial IDS systems configure information-gathering events as if they compromised a system, which is not appropriate.
Stealth scans are attempts to identify the systems that exist on a network while preventing the source system from being identified. Such scans probe IP addresses and are seen by NIDS sensors, and they usually cover a large number of IP addresses. Responding to a stealth scan requires identifying the source system and the individual using it to compromise the system.
Port scans are used to determine which services are supported by the systems on the network. An intrusion detection system identifies a port scan when ports on a single system are opened within a short period of time (above a threshold). Both NIDS and HIDS sensors will recognize port-scanning activity and report it. Responding to a port scan is the same as responding to a stealth scan.
Trojan scans: there are currently a great many Trojan programs, and NIDS sensors have signatures to identify them. Unfortunately, traffic to Trojan programs is usually identified by the destination port of the packets alone, and this is the cause of failures in identifying Trojan programs. In such cases the source port of the traffic must also be examined. For example, if the traffic originates from port 80, it is traffic from a web site.
One of the best-known Trojan scans is for BackOrifice. BackOrifice uses port 31337, and typically an attacker will scan a range of IP addresses for this port. BackOrifice also includes a host-ping function that runs automatically. This is not a concern as long as no traffic from an internal system is identified. The appropriate response to this problem is to contact the owner of the source system, which may itself have been compromised.
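The port-scan threshold and the Trojan-port source-port check described above, implemented as an added example (this code is mine, not the lecture's): it parses a constructed connection log, flags a source that touches a threshold number of distinct ports on one host inside a time window, and applies the BackOrifice port from the text as a destination-port signature while marking packets that come from a web-server source port for review rather than alerting. The threshold (10 ports in 60 seconds), the log format, the addresses, and the inclusion of 443 beside the lecture's port 80 are my assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (not from the lecture), one event per line:
# timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2019-08-03T10:00:00 198.51.100.7 51000 192.0.2.10 80 TCP
2019-08-03T10:00:01 203.0.113.5 40001 192.0.2.10 21 TCP
2019-08-03T10:00:01 203.0.113.5 40002 192.0.2.10 22 TCP
2019-08-03T10:00:02 203.0.113.5 40003 192.0.2.10 23 TCP
2019-08-03T10:00:02 203.0.113.5 40004 192.0.2.10 25 TCP
2019-08-03T10:00:03 203.0.113.5 40005 192.0.2.10 53 TCP
2019-08-03T10:00:03 203.0.113.5 40006 192.0.2.10 80 TCP
2019-08-03T10:00:04 203.0.113.5 40007 192.0.2.10 110 TCP
2019-08-03T10:00:04 203.0.113.5 40008 192.0.2.10 111 TCP
2019-08-03T10:00:05 203.0.113.5 40009 192.0.2.10 135 TCP
2019-08-03T10:00:05 203.0.113.5 40010 192.0.2.10 139 TCP
2019-08-03T10:00:06 203.0.113.5 40011 192.0.2.10 143 TCP
2019-08-03T10:00:07 198.51.100.7 51001 192.0.2.10 443 TCP
2019-08-03T10:00:09 203.0.113.5 40012 192.0.2.11 31337 TCP
2019-08-03T10:00:12 192.0.2.20 80 198.51.100.9 31337 TCP
2019-08-03T10:01:30 198.51.100.7 51002 192.0.2.10 80 TCP
"""

# Port/name pair taken from the lecture; any further entries would be assumptions.
TROJAN_PORTS = {31337: "BackOrifice"}
# Source ports that mark a server's reply rather than a client connecting out.
# The lecture names 80; 443 is added here as an assumption for HTTPS.
WEB_SOURCE_PORTS = {80, 443}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "sport": int(sport), "dst": dst, "dport": int(dport),
                       "proto": proto})
    return events


def detect_port_scans(events, threshold=10, window=timedelta(seconds=60)):
    """Flag a (src, dst) pair once `threshold` distinct destination ports on the
    same host are touched within `window`. The alert fires at the crossing
    event and records how many distinct ports were in the window at that time."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append(ev)
    alerts = []
    for (src, dst), evs in by_pair.items():
        recent = deque()  # events of this pair inside the sliding window
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            ports = {e["dport"] for e in recent}
            if len(ports) >= threshold:
                alerts.append({"src": src, "dst": dst, "distinct_ports": len(ports),
                               "first": recent[0]["ts"], "last": ev["ts"]})
                break  # one alert per pair is enough for the analyst
    return alerts


def check_trojan_ports(events, trojan_ports=TROJAN_PORTS):
    """Destination-port signature with the lecture's source-port caveat: a packet
    whose source port is a web-server port and whose destination happens to be
    a 'Trojan' port is most likely a server reply, so it is marked for review
    instead of raised as an alert."""
    findings = []
    for ev in events:
        name = trojan_ports.get(ev["dport"])
        if name is None:
            continue
        verdict = "review" if ev["sport"] in WEB_SOURCE_PORTS else "alert"
        findings.append({"src": ev["src"], "dst": ev["dst"],
                         "signature": name, "verdict": verdict})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_port_scans(evs):
        print("port scan:", a)
    for f in check_trojan_ports(evs):
        print("trojan port:", f)
```

On the constructed log, only 203.0.113.5 crosses the threshold against 192.0.2.10 (the tenth distinct port at 10:00:05), its connection to 192.0.2.11 on 31337 is raised as a BackOrifice alert, and the packet leaving 192.0.2.20 from source port 80 to a client's ephemeral port 31337 is marked for review, which is exactly the false positive the text says a destination-port-only signature would produce.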
Vulnerability scans show up on a NIDS as a large number of different attack signatures. Usually such scans are carried out against systems that are active; address ranges of inactive systems are rarely scanned. Vulnerability scans from an attacker cannot be distinguished from vulnerability scans performed by security testing firms (in many cases the same tools are used). In any case, the scan itself cannot compromise a system, but if a hacker performs the scan, all vulnerable systems will subsequently be attacked. The owner of the source system may be contacted, and the internal systems should be checked to make sure they are up to date.
File snooping, or probing of file permissions, is carried out by an internal user. The user is trying to determine which files can be accessed and what they may contain. This type of information gathering appears only on a HIDS sensor, and only if the system is logging unauthorized access attempts. Isolated events are almost certainly mistakes, but if a pattern is seen, the user should be contacted to determine what they are doing.
Attack events: Attack events are the events that require the fastest response. If the IDS is configured to identify an event as high priority only when a known internal vulnerability is being exploited, then in that case the incident response procedure must be initiated immediately.
Bear in mind that the IDS does not know the difference between a real attack and a vulnerability scan looking for an attack. The IDS administrator must evaluate the information shown by the IDS to decide whether it is a real attack. First, look at the number of events. If you see a number of different attack signatures against the same system, it may be a real attack.
Policy violations: Most IDS systems come with signatures for events such as: file sharing (Gnutella, Kazaa, etc.); instant messaging; Telnet sessions; the "r" commands (rlogin, rsh, rexec).
In most organizations, the use of these kinds of traffic is against organizational policy. Such policy violations may be more dangerous to the organization than real attacks. In most cases the event has really occurred; that is, files are being shared, or systems have been configured to allow rlogin (remote login).
How your organization chooses to respond to the different policy violations depends on its internal policies and its business. At a minimum, however, the system administrator or the individual concerned must understand the organization's policies.
Suspicious events: Events that do not fit the other categories fall under suspicious events. A suspicious event is simply an event that is not understood. For example, a registry key on a Windows NT server is changed for no apparent reason. It does not appear to be an attack, and there is no sign of why it changed. Another example might be a packet whose header flags violate the protocol standard. Is this a probe, a system with a bad network interface card, or a packet corrupted in transit? The events reported by the IDS do not provide enough information to answer these questions and to identify the event as benign or as an attack.
Similarly, suspicious events may be unexpected types of network traffic appearing on the internal network. Suspicious events should be investigated to the extent permitted by the available resources.
Note: Investigating suspicious events can take up most of the working time. It is usually appropriate to run these events past the network or system administrators.
V.3.2. Investigating suspicious events
When a suspicious action appears, there are four steps to be carried out to determine whether the action is a legitimate activity or an attempted intrusion. The steps are as follows:
1. Identify the systems.
2. Log additional traffic between source and destination.
3. Log all traffic from the source.
4. Log the contents of packets from the source.
Following each step will identify the indicators of the suspicious activity, to determine whether the action is an attack or not. These steps are described in the sections below:
Note: One thing to keep in mind while investigating an event: if an event occurred once and is not repeated, it is very difficult to obtain additional information. This can make it impossible to complete the investigation.
Identifying the systems:
The first step in investigating suspicious activity is to identify the systems involved. This is a matter of resolving IP addresses to host names. In some cases the host name cannot be found (the system may not have a DNS entry, it may be a DHCP client, a remote DNS server may be down, etc.). If the DNS lookup fails, you need to try to identify the host by looking it up through other means, such as the American Registry of Internet Numbers (ARIN) at http://www.arin.net, Internic at http://www.networksolutions.com/, or other Internet directories. Tools such as Sam Spade (found at http://samspade.org) can also be useful here. Failure to identify the source or destination of the suspicious activity is not by itself a sign that the event is an attack. Likewise, successfully identifying the systems usually does not indicate that the activity is legitimate.
Note: The source of the suspicious traffic is not necessarily the ultimate source of an attack. Denial-of-service attacks often use spoofed source addresses, and unauthorized access or probes may originate from systems that an attacker has already exploited.
Logging additional traffic between source and destination:
Observing a single event (such as an IP protocol violation) may not provide a complete log of the traffic between the two systems. Put another way, it is important to understand the context of the suspicious activity. A good example for understanding this is the WIZ (SendMail) attack signature. This signature identifies an attempt to exploit the WIZ command in SendMail. The security event matches any occurrence of "WIZ" in a mail message. If "WIZ" appears in the body of the message, it is not necessarily an intrusion attempt. Understanding the context of the event helps avoid misidentifying it.
Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port
-----------|--------|-----------|----------------|----------|-------------|-----------------
SUS_ACT | Alert, log | Source of the suspicious events | Destination of the suspicious events | TCP, UDP, ICMP, depending on the type of suspicious activity observed | Any | Any
Table 5.5: An example IDS configuration to log all traffic between two systems.
Configure the IDS to monitor all traffic between the source and destination of the suspicious activity. An example of this is shown in Table 5.5.
One question arises: what does logging the traffic between the source and destination systems tell us? First, it shows the different kinds of traffic passing between the source and destination. If the WIZ packet is the only traffic between the two systems, this may tell us that an attempt to compromise the system is under way. On the other hand, if we see a large amount of SMTP (mail) traffic between the two systems, we may regard it as legitimate mail traffic.
Logging all traffic from the source:
Suppose that the data gathered by logging all traffic between the two systems cannot determine whether the activity is legitimate or not. We can then begin gathering other traffic from the source. Bear in mind that this may be somewhat limited. If the source of the suspicious activity is on some remote network, you will only be able to monitor the traffic coming into your site. If the source is local, you may be able to gather all of the traffic from that machine, and so you will be able to make some determination of what is really going on.
To begin gathering all traffic from the source, configure the IDS to capture everything from the suspicious source. An example of such a configuration is shown in Table 5.6.
Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port
-----------|--------|-----------|----------------|----------|-------------|-----------------
SUS_SRC | Alert, log | Source of the suspicious events | Any | TCP, UDP, ICMP, depending on the type of suspicious activity observed | Any | Any
Table 5.6: IDS configuration to gather all traffic from a source address of interest.
This configuration may generate additional information that is of no use to your investigation. As long as you can examine the information objectively, you can use the log of this traffic to get a clearer picture of the subsequent interactions between the source and your site. Try to understand the activity you are seeing. Is it web traffic? Is it mail traffic? Does the traffic originate from the suspicious source or from your site?
At this point in the investigation you should know the following:
- The name of the source system
- The type and frequency of the traffic exchanged between the source and the destination
- The type and frequency of the traffic exchanged between the source and the systems at your site
This information gives you a clearer picture of the nature of the suspicious traffic. However, it is still not an indicator from which you can decide whether this is an intrusion attempt.
Logging the contents of packets from the source:
The final step in the investigation is to log the contents of the packets from the source. It should be said that this method is only useful on text-based protocols such as telnet, FTP, SMTP, and (to some extent) HTTP. If binary or encrypted protocols are used, this method is of no use. To do this, change the IDS configuration as in Table 5.7.
By logging the packet contents, you can collect a complete record of the session and of the commands being sent to the destination.
Once you have captured some data, determine what you have found. Is this a session that shows signs of a possible attack, or is it legitimate activity? This information should be combined with the other information you have gathered in order to arrive at an answer.
If you cannot reach a decision, try to find a single indicator, based on your experience and knowledge of the protocols, during your investigation.
Event name | Action | Source IP | Destination IP | Protocol | Source port | Destination port
-----------|--------|-----------|----------------|----------|-------------|-----------------
SUS_ACT | Alert, log packet contents | Source of the suspicious events | Destination of the suspicious events | TCP or UDP | Any | Port on which the traffic was identified as suspicious
SUS_ACT | Alert, log packet contents | Destination of the suspicious activity | Source of the suspicious activity | TCP or UDP | Port on which the traffic was identified as suspicious | Any
Table 5.7: An example IDS configuration to capture packet contents.
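The four-step procedure and the three configurations in Tables 5.5 to 5.7, worked through as an added example (my code, not the lecture's): a small matcher models the table rows as rules with "Any" wildcards, applies each configuration to a constructed packet stream around a WIZ alert, answers step 2's question of what else flows between the pair, and assembles the session record that step 4 promises. The addresses, payloads, rule-action labels and the `investigate` helper are assumptions; the reverse-DNS lookup of step 1 is left out so that the example runs offline.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = None  # the "Any" cell of Tables 5.5 to 5.7


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: Optional[str]
    dst: Optional[str]
    protos: Optional[FrozenSet[str]]
    sport: Optional[int]
    dport: Optional[int]

    def matches(self, pkt):
        """A field set to ANY matches everything; otherwise it must be equal."""
        return ((self.src is ANY or pkt["src"] == self.src)
                and (self.dst is ANY or pkt["dst"] == self.dst)
                and (self.protos is ANY or pkt["proto"] in self.protos)
                and (self.sport is ANY or pkt["sport"] == self.sport)
                and (self.dport is ANY or pkt["dport"] == self.dport))


def build_rules(sus_src, sus_dst, sus_port):
    """The three escalating configurations of the procedure: Table 5.5 logs the
    pair, Table 5.6 logs everything from the source, Table 5.7 records packet
    contents on the suspicious port in both directions."""
    all_three = frozenset({"TCP", "UDP", "ICMP"})
    tcp_udp = frozenset({"TCP", "UDP"})
    return {
        "5.5": [Rule("SUS_ACT", "alert,log", sus_src, sus_dst, all_three, ANY, ANY)],
        "5.6": [Rule("SUS_SRC", "alert,log", sus_src, ANY, all_three, ANY, ANY)],
        "5.7": [Rule("SUS_ACT", "alert,log-contents", sus_src, sus_dst, tcp_udp, ANY, sus_port),
                Rule("SUS_ACT", "alert,log-contents", sus_dst, sus_src, tcp_udp, sus_port, ANY)],
    }


def apply_rules(rules, packets):
    """Return the packets that any rule in the set would alert on and log."""
    return [p for p in packets if any(r.matches(p) for r in rules)]


def traffic_profile(packets, a, b):
    """Step 2's question: what else flows between the pair? Count packets in
    either direction by service port (the lower of the two ports)."""
    profile = {}
    for p in packets:
        if {p["src"], p["dst"]} == {a, b}:
            svc = min(p["sport"], p["dport"])
            profile[svc] = profile.get(svc, 0) + 1
    return profile


def session_transcript(logged):
    """Step 4's payoff: the recorded contents, in order, as one session record."""
    return [f'{p["src"]} -> {p["dst"]}: {p["payload"]}' for p in logged]


def mk(src, sport, dst, dport, payload, proto="TCP"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "payload": payload}


# Constructed packets (not from the lecture): 203.0.113.5 raised a WIZ alert
# against the mail server 192.0.2.25; 198.51.100.7 is an unrelated mail client.
PACKETS = [
    mk("203.0.113.5", 44000, "192.0.2.25", 25, "HELO probe.example"),
    mk("192.0.2.25", 25, "203.0.113.5", 44000, "250 mail.example Hello"),
    mk("203.0.113.5", 44000, "192.0.2.25", 25, "WIZ"),
    mk("203.0.113.5", 44100, "192.0.2.30", 80, "GET / HTTP/1.0"),
    mk("198.51.100.7", 51000, "192.0.2.25", 25, "MAIL FROM:<alice@example.net>"),
    mk("192.0.2.30", 80, "203.0.113.5", 44100, "HTTP/1.0 200 OK"),
]


def investigate(packets=PACKETS, sus_src="203.0.113.5", sus_dst="192.0.2.25", sus_port=25):
    """Run all three configurations and summarize what each one would give the analyst."""
    rules = build_rules(sus_src, sus_dst, sus_port)
    logged = {table: apply_rules(rs, packets) for table, rs in rules.items()}
    return {
        "captured": {t: len(ps) for t, ps in logged.items()},
        "pair_profile": traffic_profile(packets, sus_src, sus_dst),
        "transcript": session_transcript(logged["5.7"]),
    }


if __name__ == "__main__":
    for key, value in investigate().items():
        print(key, value)
```

On the constructed stream, the Table 5.5 rule captures only the two packets from the source to the mail server, the Table 5.6 rule also picks up the source's web request to another host, and the two Table 5.7 rows together yield the three-line SMTP exchange (HELO, the server's 250 reply, WIZ) as a session record. The pair profile shows that all traffic between the two hosts is on port 25, so the WIZ packet sits inside an ordinary-looking SMTP session rather than standing alone, which is the context the text says the analyst needs before deciding.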
V.3.3. Intrusion prevention
IPS has become the focus of recent products in the field of intrusion prevention. It is a new concept used to change the IDS's ability to respond to an intrusion coming from some location. Many products promote this concept; however, some established products also have this capability.
To counter an intrusion from some location, a real attack must be stopped before it reaches the target system, or before the target system executes the vulnerable code.
The mechanism for countering an attack is easiest to see on a HIDS. Consider, for example, system call analyzers or application behavior analyzers. If a call made by an application appears to be an attack, the system call analyzer can prevent the call from being executed by the operating system. If an application attempts to run a program it is not permitted to run, the application behavior analyzer can prevent that execution. In both cases the HIDS can stop the attack.
Using a NIDS to stop an attack is much more complicated. In the standard NIDS configuration, the sensors are placed where they can see the network traffic. When an attack comes across the link, the sensors capture the packets and begin analyzing them. At some point the sensors must decide whether the packets constitute an attack and take appropriate action. This action is usually to terminate the connection (only possible when the intrusion uses a TCP connection) or to have a firewall reconfigured to block traffic from the source.
For a long time NIDS has not worked well at this. The reason is that the sensors are still analyzing the packets while those packets continue on into the network. In most cases the packet reaches its destination before the connection is terminated or before the firewall can block it. Thus intrusions usually compromise the target system before the sensors take any action against them.
For a NIDS to stop an attack from successfully compromising a system, the decision about a packet must be made before the packet is allowed to proceed to the target system. This means that the architecture of a NIDS must be changed so that the NIDS sensor is placed in the traffic path (like a firewall) rather than merely monitoring the traffic.
In summary:
IPS: An Intrusion Prevention System (IPS) is defined as software or a dedicated device capable of detecting intrusions and preventing threats to network security. IDS and IPS have a great deal in common, so IDS and IPS systems may be referred to collectively as IDP (Intrusion Detection and Prevention). Given the limitations of IDS, the question arose of how to block attacks automatically rather than merely issue alerts, in order to reduce the workload of the system administrator. The IPS was born (in 2003) and soon afterwards became widespread.
Combined with upgraded management components, IPS has gradually replaced IDS because it reduces the need for human intervention in responding to detected threats and partly reduces the burden of operation. Moreover, in some special cases an IPS can operate as an IDS by turning off its intrusion prevention feature. Today networks tend towards IPS solutions instead of the older IDS.
Intrusion detection is the process of monitoring the events occurring on a computer system or network and analyzing them for signs of unauthorized intrusion. An intrusion is defined as any attempt to compromise the integrity, availability, or confidentiality of a computer system or network, or to bypass its security mechanisms. The intrusion may originate from an attacker on the Internet seeking to gain access to the system, or it may come from an authorized user of the system seeking to acquire privileges that have not been granted to them.
Figure 5.3: Securing the network with an IPS
There are two main issues: the possibility of denial of service, and issues related to availability.
Denial of service: Intrusion prevention has a primary response mechanism that extends the alerting of the system, the network, and the security administrators. The primary mechanism is now to stop the attempted activity. When an IDS detects an attack, it blocks an activity in progress, which may be a system call, an application action, or a network connection. This blocking stops the attack. Of course, it must be assumed that the IDS has correctly identified an attacking activity.
If the activity is not an attack and the IDS blocks it while it is in progress, then the IDS has blocked a legitimate activity. This means that the IDS has caused a denial of service. If the activity was caused by some anomaly (such as a packet with errors), then the packet will be retransmitted or the reconnection attempt may succeed. However, if the IDS misidentifies legitimate activities or traffic as attacks, this is precisely the condition that causes a denial of service.
Note: Current IDS sensors sometimes fail when blocking activities, because an incomplete understanding of what constitutes a vulnerability and of what constitutes legitimate activity is the cause of these problems.
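The difference between a monitoring NIDS and a sensor placed in the traffic path, together with the false-positive denial of service discussed under "Denial of service", simulated as an added example (my code, not the lecture's): both sensors use the same deliberately coarse WIZ signature from the text; the passive one delivers every packet and blocks the source only after a modelled delay, while the inline one drops the matching packet before delivery, and so also drops a legitimate message that merely mentions WIZ. The packet contents, the addresses, the `analysis_delay` model and the helper names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int
    src: str
    dst: str
    payload: str


# A deliberately coarse signature, like the lecture's WIZ example: any "WIZ"
# anywhere in a mail message is treated as an exploit attempt.
SIGNATURES = {"sendmail_wiz": "WIZ"}


def match_signatures(pkt):
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


def passive_sensor(packets, analysis_delay=1):
    """NIDS watching a copy of the traffic. Every packet, including the one that
    matches, is delivered at once; the response (block the source) only takes
    effect `analysis_delay` packets later, modelling analysis and firewall
    reconfiguration time."""
    delivered, alerts, blocked = [], [], []
    block_from = {}  # src -> index of the first packet the block applies to
    for i, pkt in enumerate(packets):
        if pkt.src in block_from and i >= block_from[pkt.src]:
            blocked.append(pkt.seq)
            continue
        delivered.append(pkt.seq)  # delivered regardless of content
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt.seq, hits))
            block_from.setdefault(pkt.src, i + 1 + analysis_delay)
    return {"delivered": delivered, "alerts": alerts, "blocked": blocked}


def inline_sensor(packets):
    """Sensor in the traffic path (like a firewall): each packet is inspected
    before it is forwarded, so a matching packet never reaches the host and
    the source is blocked from then on."""
    delivered, alerts, blocked = [], [], []
    blocked_sources = set()
    for pkt in packets:
        hits = match_signatures(pkt)
        if hits:
            alerts.append((pkt.seq, hits))
            blocked_sources.add(pkt.src)
        if pkt.src in blocked_sources:
            blocked.append(pkt.seq)
            continue
        delivered.append(pkt.seq)
    return {"delivered": delivered, "alerts": alerts, "blocked": blocked}


def self_inflicted_dos(result, packets, legit_src):
    """Packets from a known-legitimate source that the sensor blocked: the
    denial of service the lecture warns about when a signature misfires."""
    legit = {p.seq for p in packets if p.src == legit_src}
    return sorted(legit & set(result["blocked"]))


ATTACKER, CLIENT, MAIL = "203.0.113.5", "198.51.100.7", "192.0.2.25"

# Constructed traffic (not from the lecture): an exploit attempt followed by a
# legitimate message whose body happens to contain the string WIZ.
PACKETS = [
    Packet(1, ATTACKER, MAIL, "HELO probe.example"),
    Packet(2, ATTACKER, MAIL, "WIZ"),
    Packet(3, ATTACKER, MAIL, "follow-up command 1"),
    Packet(4, ATTACKER, MAIL, "follow-up command 2"),
    Packet(5, CLIENT, MAIL, "MAIL FROM:<alice@example.net>"),
    Packet(6, CLIENT, MAIL, "DATA Agenda: WIZ project review on Monday"),
    Packet(7, CLIENT, MAIL, "QUIT"),
]


if __name__ == "__main__":
    for name, sensor in (("passive", passive_sensor), ("inline", inline_sensor)):
        res = sensor(PACKETS)
        print(name, res, "legit blocked:", self_inflicted_dos(res, PACKETS, CLIENT))
```

With the passive sensor the WIZ packet (and one more from the same source) reaches the mail server before the block takes hold, which is the race the text describes; the legitimate client only generates an alert. With the inline sensor the WIZ packet is stopped before delivery, but the client's message and its QUIT are dropped as well, so the coarse signature turns into a denial of service for a legitimate user. Tightening the signature, or running the inline sensor in alert-only mode until its false-positive rate is known, is the mitigation this trade-off points to.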
Availability: The availability of networks and systems is an important part of any computer installation. Organizations spend a great deal of money and much of their time configuring their networks and systems to reduce failures. If an IDS sensor is installed in such a way that all traffic passes through it, then the NIDS sensor must meet the same high-availability requirements as the other network components. The same applies to HIDS sensors placed on server systems: if the sensor software fails, operation will be lost or halted. In high-availability and critical environments, these issues must be resolved before the systems are installed.
SUMMARY OF CHAPTER 5:
This chapter presented the issues of IDS and IPS, the types of IDS, and the position and role of HIDS and NIDS in network diagrams (Intranet/Extranet) that take into account securing the network and preventing possible unauthorized intrusions (attacks).
Managing and using IDS is considered the most important part of this chapter. It clearly presented reconnaissance events and the investigation of suspicious events, with the aim of helping the reader see the configuration, operation, necessity, and benefits that IDS and IPS systems bring.
C. TEACHING FORMAT AND METHODS
a. Content:
Lecture combined with PowerPoint presentation
Raising problems, discussion
b. After studying the theory, students apply it to answer the questions at the end of the chapter in order to systematize the chapter's knowledge.
D. REFERENCES
Required materials:
[1]. Nguyễn Kim Tuấn, lecture notes An ninh Internet (Internet Security), 2011.
Reference materials:
[1]. Nguyễn Kim Tuấn, lecture notes An toàn mạng (Network Safety), 2007.
[2]. Nguyễn Minh Nhật, lecture notes Giới thiệu An ninh mạng (Introduction to Network Security), 2009.
[3]. Ross Anderson, Security Engineering (Version 1), 2001.
[4]. Chris Hare and Karanjit Siyan, Internet Firewalls and Network Security (2nd edition), 1996.
[5]. Andrew S. Tanenbaum, Computer Networks (Fourth Edition), 2003.
[6]. Eric Maiwald, Fundamentals of Network Security, 2004.
[7]. William Stallings, Network Security Essentials: Applications and Standards (2nd edition), 2003.
* The starred materials are not used in this chapter.
E. QUESTIONS / EXERCISES FOR CHAPTER 5:
Question 1: What is an IDS? What is the role of IDS in network security policy? Present and analyze a network diagram in which an IDS system appears.
Question 2: What are the operating principles of NIDS and HIDS? Distinguish the differences between NIDS and HIDS. Give an illustrative diagram showing the difference between NIDS and HIDS.
Question 3: Explain clearly the role, operation, and purpose of the different types of HIDS sensors. In your opinion, which type of sensor is most effective in securing an Intranet? Explain this clearly.
Question 4: Analyze clearly the steps to be carried out in designing an IDS. Is there any difference between designing an IDS and an IPS?
Question 5: Analyze clearly the operation of an IDS, an IPS, and a signature-based HIDS sensor.
Question 6: Distinguish IDS from IPS. Build a security model for an internal network that includes an IPS system (based on some intrusion detection software).